Security researchers have discovered compromised websites targeting Android devices with a suspicious mobile application, in what appears to be the first time the drive-by attack technique is being used by cybercriminals via hacked sites to target mobile users.
The research team at San Francisco-based mobile security firm Lookout Inc. discovered compromised websites hosting a download called NotCompatible. An Android user could fall victim to the attack by simply visiting a compromised website in their mobile Web browser. The malicious code automatically begins downloading the suspicious NotCompatible application.
So far, the threat of Android users falling victim to mobile drive-by attacks appears to be low. Lookout said it discovered the Android attack being used on two compromised websites and traced the communication to a .eu command-and-control server. The attack itself requires a high degree of user interaction. Once the application is downloaded, the user will be prompted to click on a notification to confirm the install. For the attack to work, victims must have their Android device set to accept apps from unknown sources.
The attackers appear to be compromising sites with a hidden iFrame at the bottom of each page, Lookout said. NotCompatible, which appears to the victim as an application called “Update.apk,” poses as a system update, but sets up the phone as a proxy that can be used to access private networks. Lookout said it has not seen any malicious activity associated with infected devices.
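For site owners checking their own pages for the kind of hidden iFrame injection described above, the following added example (not from Lookout or the original article) flags iframes that are both invisible and loaded from another host. The hiding heuristics, host names and sample page are assumptions constructed for illustration; the report does not give the injected markup.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Inline styles commonly used to hide an element (assumed; the report gives no markup).
HIDDEN_STYLE = re.compile(
    r"display\s*:\s*none|visibility\s*:\s*hidden|"
    r"(?:width|height)\s*:\s*[01](?:px)?\s*(?:;|$)", re.I)

class IframeAuditor(HTMLParser):
    """Collects iframes that are invisible and loaded from a different host."""
    def __init__(self, page_host):
        super().__init__()
        self.page_host = page_host.lower()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        if tag != "iframe":
            return
        a = {k: (v or "") for k, v in attrs}
        # Relative src values have no hostname and count as same-site.
        host = (urlparse(a.get("src", "")).hostname or "").lower()
        off_site = bool(host) and host != self.page_host
        hidden = (a.get("width", "").strip() in ("0", "1")
                  or a.get("height", "").strip() in ("0", "1")
                  or "hidden" in a
                  or bool(HIDDEN_STYLE.search(a.get("style", ""))))
        if hidden and off_site:
            self.findings.append({"line": self.getpos()[0], "src": a["src"]})

def audit(html, page_host):
    """Return a list of {'line', 'src'} for hidden off-site iframes in html."""
    parser = IframeAuditor(page_host)
    parser.feed(html)
    parser.close()
    return parser.findings

# Constructed sample page: two legitimate visible frames, one hidden frame at the bottom.
SAMPLE = """<html><body>
<h1>Store hours</h1>
<iframe src="/map.html" width="400" height="300"></iframe>
<iframe src="https://video.example.net/embed/1" width="560" height="315"></iframe>
<p>Footer</p>
<iframe style="visibility: hidden; width: 1px; height: 1px" src="http://injected.example.invalid/"></iframe>
</body></html>"""

if __name__ == "__main__":
    for f in audit(SAMPLE, "shop.example.com"):
        print(f"line {f['line']}: hidden off-site iframe -> {f['src']}")
```

A finding that repeats with the same `src` across every page of a site is a stronger signal than a single hit, since legitimate hidden frames are usually confined to specific templates.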
“This threat does not currently appear to cause any direct harm to a target device, but could potentially be used to gain illicit access to private networks by turning an infected Android device into a proxy,” Lookout said in a blog post describing the mobile drive-by attack technique. “A device infected with NotCompatible could potentially be used to gain access to protected information or systems, such as those maintained by enterprise or government.”
Attacks targeting Android devices have increased, making it the top mobile malware platform, according to Kaspersky Lab, but most experts admit the risk from mobile malware is still extremely low. A larger threat looming for enterprises is lost and stolen devices and data leakage, said security experts. At RSA Conference 2012, security experts called for more Android mobile malware research to try to address the issue before attacks become more widespread. The fear is that some apps can become weaponized to collect sensitive data and perform unauthorized activity.